Actually it's impossible to make webOS impenetrable as long as there's physical access. Dev Mode can be enabled by booting from installer ramdisk and adding the novacom marker back in. PIN lock can be disabled by removing the file with the encrypted PIN. The PIN itself can be decrypted if the encryption key is known (it involves a constant, and maybe the nduid, which is easily obtainable). webOS CE has the PIN lock algorithm changed into a hash, so at least that's a bit more secure. (The PIN is, if it exists, used by Key Manager to decrypt account credentials.)

The DB and file cache partitions are encrypted, but they're only somewhat secure if the device itself was not operational.

So the most physically secure devices would be a TouchPad Go (no public Doctor), and a device running Luna CE (hash instead of reversible encryption). For all other devices, credentials can't be read, but existing data can still be read.

Wow GMman, I'd heard WebOS wasn't very secure but I didn't realize just how porous it is. What about remote erase if you lose your phone? Can that be easily bypassed or defeated?

At least on the TouchPad, it uses a service for wipe verification. Supposedly if the service is deleted the device can't wipe. However, the service is only a component, and I haven't looked into the entire system.